libotr: Arbitrary code execution — GLSA 201309-07

A buffer overflow vulnerability in libotr could allow a remote attacker to execute arbitrary code or cause a Denial of Service condition.

Affected packages

net-libs/libotr on all architectures
Affected versions < 3.2.1
Unaffected versions >= 3.2.1

Background

libotr is a portable off-the-record messaging library.

Description

Multiple heap-based buffer overflows are present in the Base64 decoder of libotr.

Impact

A remote attacker could send a specially crafted OTR message, resulting in arbitrary code execution with the privileges of the process or a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All libotr users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-libs/libotr-3.2.1"
 

References

Release date
September 15, 2013

Latest revision
September 15, 2013: 1

Severity
high

Exploitable
remote

Bugzilla entries